ESET reported Peru and neighboring countries as the target but I noticed that one of the samples' (MD5 25c7e10bb537b4265f6144f2cd7f6d95) original name is 未命名1 (Unnamed 1), so I wonder if some targets/sources were Chinese speaking.

P.S. The samples were donated by an anonymous contributor, but the original source is someone from the Malwarebytes forum, and I want to thank him/her (sorry, I don't know the name) for sharing. I hope they do not mind me posting them here.

Thursday, June 21, 2012

The CitizenLab published their report of the Blackshades RAT used by the Syrian Electronic Army against activists. No need to repeat their excellent analysis, but if you wish to analyze Blackshades and the other RATs that were used in the Syrian attacks, here are the samples for

Friday, June 15, 2012

CVE-2012-1875 Internet Explorer 8 exploit has been publicly available from various sources for a few days.
I am adding it here for reference.

For analysis info, see the AlienVault link below and the Metasploit module and demo.

P.S. In case you wonder, I have not stopped doing malware analysis. I still do, but as a longer-term offline project combined with studying/reading. I pause what I am doing to share samples that come along and are better posted sooner, as is, because I do not want to wait until I write up something more expanded. Since most people prefer doing analysis on their own and I add reference links, I don't think it is a huge disappointment :) ~ Mila

Tuesday, June 12, 2012

While working on a project unrelated to Contagio, I collected a number of CVE-2012-0158 exploit documents (mostly RTF) by going through my own collection and what was shared (and publicly sharable) by Contagio readers. This post contains 90 files, mostly APT-targeted, but I did not analyze all of them and cannot guarantee that. These are CVE-2012-0158 exploits from files dated April-June 2012. Some of them were already posted on Contagio.
The files inside the zip are named SHA256_original file name.doc. I think I will be using SHA256 for naming from now on because it is more standard now and makes it much easier to auto-generate VT links. The table below shows everything inside the archive with auto-generated VirusTotal links.
Some of them had Japanese and Chinese names that are now translated into English (with (JP) and (CN) in the name).
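As an added example (not from the original post), a small Python script that applies the naming scheme described above, SHA256_original name, and emits the per-file VirusTotal links as a manifest table; the VT URL layout and the "(translate)" flag for non-ASCII original names are my assumptions, and the sample bytes are constructed stand-ins.

```python
import hashlib
import re
from dataclasses import dataclass

# Assumed VirusTotal URL layout; adjust to whatever the VT web interface uses.
VT_URL = "https://www.virustotal.com/gui/file/{sha256}"

# Characters that zip tools or Windows reject in file names.
_UNSAFE = re.compile(r'[\\/:*?"<>|]')


@dataclass
class SampleEntry:
    sha256: str
    original_name: str
    archive_name: str          # "<sha256>_<original name>", the zip naming convention
    vt_link: str
    needs_translation: bool    # True when the name is not plain ASCII (e.g. Japanese/Chinese)


def sanitize_name(name: str) -> str:
    """Replace path separators and other unsafe characters so the name is archive-safe."""
    return _UNSAFE.sub("_", name).strip() or "unnamed"


def make_entry(original_name: str, data: bytes) -> SampleEntry:
    digest = hashlib.sha256(data).hexdigest()
    return SampleEntry(
        sha256=digest,
        original_name=original_name,
        archive_name=f"{digest}_{sanitize_name(original_name)}",
        vt_link=VT_URL.format(sha256=digest),
        needs_translation=not original_name.isascii(),
    )


def build_manifest(samples: dict[str, bytes]) -> list[SampleEntry]:
    """Sort by SHA256 so the table is stable across runs."""
    return sorted((make_entry(n, d) for n, d in samples.items()), key=lambda e: e.sha256)


def manifest_table(entries: list[SampleEntry]) -> str:
    """Render a pipe table, marking names that still need a human translation."""
    rows = ["| SHA256 | Original name | VirusTotal |", "|---|---|---|"]
    for e in entries:
        name = e.original_name + ("  (translate)" if e.needs_translation else "")
        rows.append(f"| {e.sha256} | {name} | {e.vt_link} |")
    return "\n".join(rows)


if __name__ == "__main__":
    # Constructed stand-ins for exploit documents; real samples would be read from disk.
    constructed = {"invitation.doc": b"{\\rtf1 constructed A}", "未命名1.doc": b"{\\rtf1 constructed B}"}
    print(manifest_table(build_manifest(constructed)))
```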

Wednesday, June 6, 2012

Tinba aka Zusy is an interesting tiny (18-20 KB) banker trojan. It is not the smallest in use these days: the Andromeda bot is 13 KB for the resident and only 9 KB for the non-resident version. I got a few samples and hoped to come up with enough data for an IDS signature, but they did a good emulation of the real systems, so it is not trivial. One very consistent thing is the 13-byte initial RC4-encoded request.
I am posting the details here; if you come up with a signature, please share it with Emerging Threats or here.

Malware samples are available for download by any responsible whitehat researcher. By downloading the samples, anyone waives all rights to claim punitive, incidental and consequential damages resulting from mishandling or self-infection.